This is the second of a two-part Q&A on mobile device security with Kevin Johnson, a security consultant and founder of Secure Ideas. The first part dealt with mobile device security policy. As a SANS instructor, he teaches courses in Mobile Device Security, as well as penetration testing. Kevin is on the Advisory Council of the first Mobile Device Security Summit, to be held March 12-13 in Nashville, Tenn., where he will teach his SANS course March 14-15. In this post, Kevin talks about mobile device security threats and how to mitigate risk.

Security Bistro: When we talk about mobile threats, what should companies be most concerned about?

Kevin Johnson: That’s actually a pretty simple question to answer, unless I was trying to sell you something, and then I’d have to wrap my answer around exactly what I was selling. The biggest risk for an organization is simply a matter of awareness. Our phones, our mobile devices, have way more power, way more data on them. I still remember my first cell phone; comparatively, it was a piece of junk. All it did was make phone calls. It barely had an address book. Now, my iPhone has more computing power than the majority of computers I’ve owned combined. Because of that, I have more data on it, more sensitive information. I have more access through it. My phone has the ability to connect remotely to networks and to access servers. The problem is that people treat these phones the same way they treated the flip phone that barely had an address book.

My company does physical pen tests: we break into buildings, trick people into letting us in, and we walk out with stuff. One of our favorite targets is to walk up to a desk, unplug the charging phone and walk out the door with it, with permission, of course. So we see these amazing computing devices with great data, great access, all of the keys to the kingdom a malicious attacker would want, sitting on a desk unlocked, charging. When the user walks back to the desk and you point out, “Hey, your phone’s sitting there,” they say, “Oh yeah, it’s charging.” From that phone, I can get access to your network; from that phone, I have all of your client data. I’ve done tests where I’ve gotten into apps doctors and nurses are using that have medical records on the phone. I went to a doctor’s office, and on the counter was a nurse’s phone, unlocked and open, running an app that the nurse was using to track the patients she was dealing with. There was medical information (allergies, what the patient was there for, their complaints, what medications they were on) sitting right there with their name and their date of birth: amazingly sensitive information. I said to the nurse, “You probably should not leave that there.” And she said, “Oh, it’s OK, it’s just my phone.” The biggest problem we have is awareness. People need to understand those phones are sensitive.

SB: We’ve heard year after year this is the year of the mobile malware threat. Mobile malware is up sharply, although the numbers are still relatively small. Has mobile malware risen to the level of a serious security threat?

KJ: I’m not going to get on the FUD [Fear, Uncertainty and Doubt] bandwagon of “OH! MOBILE MALWARE!” But it is a fact that these devices are becoming more common, and we are seeing attackers using them and trying to get into companies. Work is being done on malware; work is being done on client attacks that target mobile devices.

It goes back to that data thing: as an attacker, you’re interested in the easiest way to get to sensitive data. Where is that sensitive data now, in its easiest-to-access form? The mobile phone. We are starting to see more and more attacks focused on the devices. And we are seeing some reactions. Google announced, “Hey, maybe we should be looking for malware in these applications,” and so they implemented the Bouncer app.

SB: As an enterprise, what steps should they be taking? AV on their employees’ phones?

KJ: There are a couple of ways you can approach it. You can start installing the quote-unquote antiviruses that are available for phones: so if you want to bring your own device in, and it’s an Android device, we will ask you to run antivirus on it. To be honest, that isn’t very effective, mainly because antivirus isn’t really available for phones. The majority of phones out there don’t have any capability for running antivirus.

And I’ve got to ask, how effective is antivirus? Let’s talk traditional antivirus. As a pen tester, it takes me between 15 and 45 seconds to bypass antivirus on most organizations’ computers. It’s trivial. As a focused, targeted attacker, antivirus is a bump in the road.

SB: What can enterprises do to mitigate the risk, then?

KJ: The next thing to start looking at, what I actually like better, is: OK, you’re adopting the BYOD idea. Let’s restrict what it can connect to. Let’s treat those mobile phones as external devices. Now, when someone wants to remotely access your network from home, what do they do? They connect to your Citrix server, they log in, they’re on your network. You have divided that personal home device from your internal network. Basically, they just see a presentation layer. The malware sitting on that home computer isn’t attacking your internal network.

Let’s treat the phones the same way. When you connect to the wireless infrastructure with a phone, you’re on a guest network. If you want access to internal resources, well, Citrix has a viewer for every major phone platform. Let’s use it. Let’s treat these BYOD devices as exactly what they are: non-organizational potential threats.

SB: A lot of enterprises use mobile devices to access major business applications, such as SAP. How should they approach security in those cases?

KJ: If you have to allow something like SAP: I don’t want to expose SAP to my Internet connection — good idea. If I want to have the SAP app running on a phone, I don’t force them through Citrix for that, but I do force them into an extranet system that is protected and monitored and much more locked down than the internal network. We’re still isolating them, not to the level something like Citrix would provide, but we’ve accepted the additional risk and we’re controlling it.

For organizational phones, absolutely, you should be looking at MDM. But when we are talking about BYOD, MDM becomes much harder, for the same reasons that policy is much harder. You can’t lock the phone down to the level I could if it was an organizational phone. What you should look for is the most control, the best reporting capabilities and the most flexibility. Make sure the MDM solution has the best coverage control-wise. I also want the most flexible reporting: I want to be able to pull a report that says, what is the last time I touched this phone, how in compliance is it?

As an organization following BYOD, make sure your policy limits what the device is. For example, if it’s not Android 3, don’t talk to me; you can buy new phones today running Android 1.3, which has major security holes.
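The kind of report Kevin describes (last time the phone checked in, whether it is in compliance, whether the OS version clears the policy floor), worked through as an added example that is not part of the interview, of SANS, or of any MDM product. It evaluates MDM inventory records against an assumed BYOD policy and, following the earlier guest/extranet/internal discussion, assigns each device a network zone. The record fields, the version floors (the Android 3 floor follows Kevin's example; the iOS floor and the seven-day check-in window are assumptions), the zone mapping in `network_zone`, and the sample inventory are all constructed for illustration.

```python
"""Hypothetical BYOD compliance check over MDM inventory records.

Added example for illustration; it is not code from the interview, from SANS or
from any MDM product. Field names, policy thresholds and the sample inventory
are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy. The Android 3 floor follows the example in the interview; the
# iOS floor and the seven-day check-in window are illustrative assumptions.
MIN_OS_VERSION = {"android": "3.0", "ios": "5.0"}
MAX_CHECKIN_AGE = timedelta(days=7)
REQUIRE_ENCRYPTION = True
REQUIRE_PASSCODE = True


@dataclass
class Device:
    device_id: str
    owner: str
    platform: str            # e.g. "android", "ios"
    os_version: str          # as reported by the MDM agent
    last_checkin: datetime   # last time the agent reported in (UTC)
    encrypted: bool
    passcode_set: bool
    ownership: str = "byod"  # "byod" or "corporate"


def parse_version(version: str) -> tuple:
    """'4.0.4' -> (4, 0, 4). A non-numeric suffix such as '2.3.3-r1' is dropped."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """True if actual >= minimum; '3' and '3.0' compare equal."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def evaluate(device: Device, now: datetime) -> list:
    """Return the policy violations for one device; an empty list means compliant."""
    violations = []
    floor = MIN_OS_VERSION.get(device.platform.lower())
    if floor is None:
        violations.append("platform %r is not permitted" % device.platform)
    elif not version_at_least(device.os_version, floor):
        violations.append("OS %s is below the minimum %s" % (device.os_version, floor))
    age = now - device.last_checkin
    if age > MAX_CHECKIN_AGE:
        violations.append("last check-in %d days ago (limit %d)" % (age.days, MAX_CHECKIN_AGE.days))
    if REQUIRE_ENCRYPTION and not device.encrypted:
        violations.append("storage is not encrypted")
    if REQUIRE_PASSCODE and not device.passcode_set:
        violations.append("no passcode or screen lock")
    return violations


def network_zone(device: Device, violations: list) -> str:
    """Assumed placement: any violation -> guest network only; compliant BYOD ->
    the monitored extranet segment; compliant corporate device -> internal."""
    if violations:
        return "guest"
    return "internal" if device.ownership == "corporate" else "extranet"


def compliance_report(devices, now: datetime) -> dict:
    """Map device_id -> {"owner", "violations", "zone"} for every inventory record."""
    report = {}
    for dev in devices:
        found = evaluate(dev, now)
        report[dev.device_id] = {"owner": dev.owner, "violations": found,
                                 "zone": network_zone(dev, found)}
    return report


# Constructed sample inventory; none of these are real devices or people.
NOW = datetime(2012, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Device("d1", "alice", "android", "4.0.3", NOW - timedelta(days=1), True, True),
    Device("d2", "bob", "android", "2.3.6", NOW - timedelta(days=2), False, True),
    Device("d3", "carol", "ios", "5.0.1", NOW - timedelta(days=12), True, True),
    Device("d4", "dave", "blackberry", "7.0", NOW - timedelta(hours=3), True, True),
    Device("d5", "erin", "ios", "5.1", NOW, True, True, ownership="corporate"),
]

if __name__ == "__main__":
    for dev_id, entry in compliance_report(SAMPLE_INVENTORY, NOW).items():
        status = "OK" if not entry["violations"] else "; ".join(entry["violations"])
        print("%s (%s) -> %s: %s" % (dev_id, entry["owner"], entry["zone"], status))
```

Run it as a script and it prints one line per device. The version comparison pads short strings so that a device reporting "3" clears a "3.0" floor, and it tolerates vendor suffixes like "2.3.3-r1"; a platform missing from the policy table is reported as not permitted rather than silently passing, which is the behaviour you want for "if it's not on the list, don't talk to me".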